Earl Duby
CISO | Trusted Advisor | Board Member | Change Agent | FBI CISO Academy
Many law firms may not have noticed that IBM released its 18th annual Cost of a Data Breach Report on July 24, but they should take the time to read the insights it contains. While not specifically targeted at the legal profession, the data compiled by the Ponemon Institute and analyzed and published by IBM Security offers a host of information that every law firm should pay attention to.
Key Insights from IBM’s 2023 Cost of a Data Breach Report
Key data points from the 2023 report reveal some interesting numbers about the current state of information security programs across a broad range of industries and company sizes, and lay out critical shortcomings in how organizations protect against, and respond to, the elevated adversarial activity seen across the global market.
From the report:
Internal discovery is ideal:
Not surprisingly, the report notes that internal discovery of a data breach is critical to lessening its impact, but this happens in only about a third of cases. Overwhelmingly, companies are still being informed of breaches by third parties, including law enforcement and the attackers themselves (typically via a ransom demand). Having a team actively monitoring the internal network is critical to ensuring you find out about an incident before someone else tells you about it.
Faster detection is better:
Going hand in hand with internal discovery, faster detection leads to shorter incidents and lower recovery costs. The report shows that breaches identified and contained in less than 200 days cost an average of $3.9 million, while breaches that took more than 200 days to identify and contain cost an average of $5 million. That is a 23% premium on delayed discovery and containment. These numbers highlight the importance of up-to-date detection capabilities, such as endpoint detection and response (EDR) and network monitoring, alongside preventive controls such as properly configured firewalls and multifactor authentication. The preventive controls do not detect a breach by themselves, but they reduce the number of intrusions the monitoring team has to find.
Smaller victims suffer more:
While the cost of recovering from a data breach has fallen slightly for larger organizations (more than 5,000 employees), it has risen significantly for smaller (up 15%) and midsized (up 20%) companies, which is where many law firms fall. These are important numbers for any law firm to pay attention to as it begins the budgeting process for its IT spending. It would also be a good time to start budgeting for security as a separate line item, to ensure that funds are properly allocated to protecting firm and client data.
Practice decreases response time:
It goes without saying that the more you practice something, the better you get at it. Practicing your incident response process is an effective way of reducing the time it takes to recover from a breach. The IBM report indicates that there is also an economic incentive to practicing your response processes: organizations with “high levels of incident response planning and testing” spent $1.5 million less on breach-related costs, on average, than organizations without that discipline.
“Time is the new currency in cybersecurity both for the defenders and the attackers. As the report shows, early detection and fast response can significantly reduce the impact of a breach,” said Chris McCurdy, General Manager, Worldwide IBM Security Services.
ABA Guidance on Data Breach Preparation and Response
From a law firm perspective, there is clear guidance from the American Bar Association regarding the preparation and response that member firms should be taking regarding a data breach. The ABA’s Formal Opinion 483 picks up where Formal Opinion 477R leaves off and addresses the ethical obligations that lawyers have regarding a data breach and what steps need to be taken to inform the client.
Types of Security Incidents Affecting Client Confidential Data
According to Formal Opinion 483, there are three types of security incidents that affect client confidential data:
- Exfiltration or theft of client confidential information
- Ransomware attacks where the information is blocked or rendered inaccessible
- Attacks on the information systems of the law firm which destroy the infrastructure where the confidential information resides, preventing the lawyer from using those systems to perform necessary legal services
In all three cases, the law firm must have security controls sufficient to detect the incident and respond in a timely and appropriate manner. The notification obligations differ among the three cases, but in each the response process needs to be clearly defined and efficient. As the IBM report shows, the speed at which the law firm can detect the security incident and determine the necessary next steps will have a significant impact on the overall cost of the incident.
Incident Response Plan Importance and Definition
The Opinion states that lawyers with managerial authority within the firm “must make reasonable efforts to establish internal policies and procedures designed to provide reasonable assurance that all lawyers and staff in the firm will conform to the Rules of Professional Conduct.” Further, the Opinion calls out that, “such policies and procedures include those designed to detect and resolve conflicts of interest, identify dates by which actions must be taken in pending matters, account for client funds and property and ensure that inexperienced lawyers are properly supervised.”
This strongly implies that the law firm should have an Incident Response Plan that describes the steps to be taken during a security incident that could impact client confidential information, and that clearly defines the roles and responsibilities of those who respond to such incidents. The Opinion goes on to state the ABA’s position on such plans: “The primary goal of any incident response plan is to have a process in place that will allow the firm to promptly respond in a coordinated manner to any type of security incident or cyber intrusion.”
Duty to Notify Clients and Keep Them Informed
If client confidential information is stolen from the law firm, the lawyer has a duty to notify the affected clients of the breach. Formal Opinion 95-398 informs lawyers that client breach notifications are a critical part of keeping the “client reasonably informed about the status of the matter.”
Assessing Law Firm Preparedness
Those in charge of law firm risk management or information system management should read the 2023 IBM Cost of a Data Breach Report and think about their own capabilities for identifying a security incident, understanding what data may have been affected, and responding if client confidential information is involved. Law firm leadership should be asking:
- Are we allocating enough budget to protect our client confidential information?
- Who is monitoring our network for security breaches?
- Do we have a documented Incident Response Plan?
- Are all the right resources engaged in the response process and do they know what to do?
The answer to these questions could be worth millions of dollars in law firm revenue.
Author
Earl Duby is a proven cyber security leader with over 25 years of experience leading security teams in multiple industries, ranging from large financial services companies to Fortune 150 manufacturers. Recently, Earl spent 6½ years as the Chief Information Security Officer (CISO) for Lear Corporation in Southfield, Michigan. Before that, he was Vice President of Security Architecture for Synchrony Financial as it spun off from General Electric. Earl has held several other security leadership roles and has earned Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Fraud Examiner (CFE), Certificate of Cloud Security Knowledge (CCSK), SABSA Certified Foundation and Certified Information Systems Auditor (CISA) certifications.